High Performance Tuning
CPU Affinity/Pinning
For best performance, CPU intensive processes like Zeek and Suricata should be pinned to specific CPUs. In most cases, you’ll want to pin sniffing processes to the same CPU that your sniffing NIC is bound to. For more information, please see the Performance subsection in the appropriate Suricata and Zeek sections.
Misc
RSS
Disk/Memory
hdparm
to gather drive statistics and alter settings, as described here:vm.dirty_ratio
is the maximum amount of system memory that can be filled with dirty pages before everything must get committed to disk.
vm.dirty_background_ratio
is the percentage of system memory that can be filled with “dirty” pages, or memory pages that still need to be written to disk – before the pdflush/flush/kdmflush background processes kick in to write it to disk.
Elastic
You will want to make sure that each part of the pipeline is operating at maximum efficiency. Depending on your configuration, this may include Elastic Agent, Logstash, Redis, and Elasticsearch.